GamePolitics - Comments for "SOE: User Data and Credit Card Information Compromised, Services Taken Down"
http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270229
<p>If so that only adds to how angry I am this morning as I was hoping to download any updates and finally be able to be online again.</p>
Tue, 03 May 2011 15:40:29 +0000 hellfire7885 comment 270229 at http://gamepolitics.com
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270225
<p>Pretty much.</p><p>In general hashed password lists are only good for asking 'is this the password?', but poor for finding out what the password is.&nbsp; Any (standard) modern system is likely to be difficult enough to break as to be useless to them because it comes down to raw math... as long as they did not try to implement their own algorithm it comes down to brute forcing it.</p>
Tue, 03 May 2011 13:29:44 +0000 Neeneko comment 270225 at http://gamepolitics.com
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270224
<p>Or the two networks are connected, and they are only now discovering that the breach crossed both systems.</p>
Tue, 03 May 2011 13:25:36 +0000 Neeneko comment 270224 at http://gamepolitics.com
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270212
<p>Good man.</p><p>I don't claim, by the way, to understand fully the implementation of hashing methods into a security system. I know the basics via coursework but I haven't studied higher-level implementation concepts yet.</p>
Tue, 03 May 2011 04:15:57 +0000 kefkakrazy comment 270212 at http://gamepolitics.com
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270211
<p>Makes me glad I made absolutely sure my&nbsp;PSN account password was unique to that account.</p>
Tue, 03 May 2011 03:23:06 +0000 hellfire7885 comment 270211 at http://gamepolitics.com
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270210
<p>So moral of the story is if they did use this method, chances are that while everyone SHOULD change their password, the chances of the hackers having it in any usable form (barring shit passwords) are pretty low.</p><p>Good to know.&nbsp;</p>
Tue, 03 May 2011 03:16:50 +0000 Cerabret100 comment 270210 at http://gamepolitics.com
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270209
<p>Or at the least saw what happened with PSN and figured other&nbsp;Sony networks could be broken into using similar methods.</p>
Tue, 03 May 2011 03:12:52 +0000 hellfire7885 comment 270209 at http://gamepolitics.com
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270208
<p>You forgot one important fact:</p>
<p>A hash's ease of reverse engineering is inversely proportional to the collision risk of said hash algorithm. For example, if you store a hash of 10 characters for passwords that range from 1 to 9 characters, you can have an algorithm that has 0 chance of collision (every possible hash is unique), however, this makes reverse-engineering the hash that much easier. However, if you have a 10-character-long hash for passwords ranging in length from 4 to 20 characters, there is no way for you to find an algorithm that will not create collisions. Still, it will make it that much harder to reverse-engineer the hashes since each hash has multiple possible sources.</p>
<p>The way hashes work is usually they will add a known salt to the password (a key of sorts) and then pass it through one of multiple algorithms. Btw, the more algorithms, the LESS secure the password hashing ends up (anything passed to the function will end up with the same hash and thus will be verified. On the + side, go try and reverse-engineer that :P ) the same way using a random number to seed the next number of the same random number generator will quickly destroy any randomness in the system.</p>
<p>Anyway, what would be important to know here is which security they were the most worried about: Their network (big hash, low collision, higher risk of reverse engineering if you steal the data, but obviously they didn't think about that) or an average user (smaller hash, higher collision, the reverse engineering is less likely but the user could have false positives with wrong passwords on their network).
I'd normally wager the first, but considering how little of an understanding Sony seems to have had of security in general, I'd say it's anybody's guess.</p>
Tue, 03 May 2011 02:21:48 +0000 DorthLous comment 270208 at http://gamepolitics.com
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270203
<p>(EDIT: New post instead of reply, ack.&nbsp; Would be nice if you guys fixed the backend so that clicking on Reply and then logging in didn't dump you to a new post box...)</p>
Tue, 03 May 2011 01:38:42 +0000 Thad comment 270203 at http://gamepolitics.com
Re: SOE: User Data and Credit Card Information Compromised, ... http://gamepolitics.com/2011/05/02/soe-user-data-and-credit-card-information-compromised-services-taken-down#comment-270204
<p>It's almost certainly the same people in a second targeted attack, but as for &quot;having it in for them&quot; -- well, it COULD&nbsp;be somebody cheesed off at the Hotz settlement, but really you don't need an ulterior motive to break into a major company's servers and steal its customer data; the credit card/ID&nbsp;theft potential is an end in and of itself.&nbsp; Every single Fortune 500 company is a potential target for this kind of attack, regardless of company politics or recent PR situation.</p><p>Again, it's possible this was done by a group (it IS&nbsp;most likely a group and not an individual)&nbsp;that has a grudge against Sony, but it could just be that they were looking for a major company with a vulnerable network and Sony was the one they found.</p>
Tue, 03 May 2011 01:38:00 +0000 Thad comment 270204 at http://gamepolitics.com